Clarify SSO credential authorization as GitHub Enterprise Cloud–only in credential types reference #43860
Agent-Logs-Url: https://github.com/github/docs/sessions/80fc9a39-8af0-4f3e-8684-bf106bf329c4 Co-authored-by: myarb <11952755+myarb@users.noreply.github.com>
How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options: A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.
jc-clark
left a comment
LGTM from a docs perspective. @wilsonwong1990, this is the PR Copilot opened from the Slack thread. What do you think of these changes?
Pull request overview
This PR clarifies that SSO credential authorization behavior described in the credential types reference applies to {% data variables.product.prodname_ghe_cloud %} only, so readers on {% data variables.product.prodname_ghe_server %} don’t interpret cloud-only UI/API options as available on server.
Changes:
- Updated SSO authorization section intro and footnote to explicitly scope behavior to {% data variables.product.prodname_ghe_cloud %} and exclude {% data variables.product.prodname_ghe_server %}.
- Updated SSO-related revocation bullets (OAuth app tokens, GitHub App user access tokens) to add explicit {% data variables.product.prodname_ghe_cloud %}-only context.
- Updated “Revoking SSO authorization” guidance to clearly scope UI/REST/bulk actions to {% data variables.product.prodname_ghe_cloud %}.
Show a summary per file
| File | Description |
|---|---|
| content/organizations/managing-programmatic-access-to-your-organization/github-credential-types.md | Adds explicit cloud-only scoping for SSO credential authorization/revocation guidance throughout the reference. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 2
| | `GITHUB_TOKEN` ({% data variables.product.prodname_actions %}) | {% octicon "x" aria-label="No" %} (repository-scoped) | Not applicable | | ||
|
|
||
| [^1]: SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [List SAML SSO authorizations for an organization](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint. | ||
| [^1]: On {% data variables.product.prodname_ghe_cloud %}, SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [List SAML SSO authorizations for an organization](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint. |
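Review bot: The added footnote line scopes the behavior only through the leading "On {% data variables.product.prodname_ghe_cloud %}," and never states the {% data variables.product.prodname_ghe_server %} side, although the PR summary says the footnote is meant to exclude it as well. No version conditional is visible around the footnote, so a GHES reader still reaches a sentence that points at the List SAML SSO authorizations endpoint. Consider closing the footnote with the same exclusion sentence the section intro uses ("SSO credential authorization does not apply to {% data variables.product.prodname_ghe_server %}."). Separately, because the footnote states that these authorizations appear in neither the UI nor the list endpoint, a pointer to the "Revoking SSO authorization" section would tell admins where to go next.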
Link text to another docs page should use AUTOTITLE rather than hardcoding the page title. Consider changing this REST docs link to the AUTOTITLE format so it stays accurate if the endpoint heading changes.
| [^1]: On {% data variables.product.prodname_ghe_cloud %}, SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [List SAML SSO authorizations for an organization](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint. | |
| [^1]: On {% data variables.product.prodname_ghe_cloud %}, SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [AUTOTITLE](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint. |
| * **Enterprise owners** can manage SSO authorizations for enterprises with enterprise-level SSO (including {% data variables.product.prodname_emus %}) via the {% data variables.product.github %} UI. See [AUTOTITLE](/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-and-revoking-authorized-credentials). | ||
|
|
||
| You can also manage SSO authorizations via the REST API. See [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#list-saml-sso-authorizations-for-an-organization). | ||
| On {% data variables.product.prodname_ghe_cloud %}, you can also manage SSO authorizations via the REST API. See [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#list-saml-sso-authorizations-for-an-organization). |
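Review bot: The added sentence says you can "manage SSO authorizations via the REST API", but the link it keeps targets `#list-saml-sso-authorizations-for-an-organization`, which covers listing only. In a section about revoking, name the action readers need (listing versus removing an authorization) or link the endpoint that performs the revocation, so the sentence does not imply that the list endpoint revokes anything. Also, the "Enterprise owners" bullet above is unchanged context in this hunk and carries its scope only through the `/enterprise-cloud@latest/` link path; check that the list introduction states the GHEC scope so the UI and REST statements are scoped consistently.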
This REST link includes an apiVersion query parameter, which the docs style guide advises avoiding unless you’re intentionally pinning to a specific calendar version. Also, this endpoint is already linked in footnote [^1], so this is a repeated link within the article—consider removing one of the links (or rewording this sentence to refer back to the earlier link) to align with the “don’t repeat the same link” guidance.
| On {% data variables.product.prodname_ghe_cloud %}, you can also manage SSO authorizations via the REST API. See [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#list-saml-sso-authorizations-for-an-organization). | |
| On {% data variables.product.prodname_ghe_cloud %}, you can also manage SSO authorizations via the REST API. |
The SSO authorization section in `github-credential-types.md` was rendered for all versions, which made GHES readers see guidance for UI/API options they do not have. This update tightens scope language so SSO credential authorization behavior is explicitly GHEC-only and explicitly excluded for GHES.

Scope corrections in SSO authorization content

- `## SSO authorization` intro to start with GHEC context and explicitly state non-applicability to GHES.
- `[^1]`) to scope automatic app authorization behavior to GHEC.

Scope corrections where SSO behavior is referenced outside the section

- `### Revoking SSO authorization` so REST/UI/bulk statements are explicitly GHEC-scoped.

No version-conditional rendering changes

- `{% ifversion %}` changes), preserving article structure and availability across versions.

On {% data variables.product.prodname_ghe_cloud %}, when single sign-on (SSO) ... ... SSO credential authorization does not apply to {% data variables.product.prodname_ghe_server %}.

Original prompt
This pull request was created from Copilot chat.